Chasing the ghost in the machine

On one project I was brought in to try to find out how internal, proprietary and confidential information was being leaked out of the company. This was a case of corporate espionage.

The security people inside the company were completely clueless. They monitored the network and firewall to try to find where the leak was coming from. They tried for several months and by the time I was brought in they didn’t even know whether it was someone that have penetrated them from the internet or an internal job.

The problem was that the security department people in this particular company where not information security people, they were IT employees with some security training. This is not good. Don’t get me wrong, IT people can be really good, but in the security world you have to think like your opponent in order to catch them.

I set to work. I installed and configured honeypots in different parts of the network to simulate the actual servers where the sensitive information was stored, I placed a monitoring application that would log any netbios, ftp, http, rpc, etc requests that were made, I configured logging services for all the servers, firewalls, routers, etc, etc. After a week of collecting data we, a friend helping me and I, analyzed the data.

Nothing.

Not a single trace of anything coming in or going out.

How in the hell were they extracting the data? There were two ways that they could be using at this point: alternate channels or physical extraction.

With alternate channels the bad guy could, theoretically, hide information within TCP packets, DHCP requests, ICMP requests and other less used protocols. This is tedious and due to the small amount of data that can be transmitted per packet it would take a long time to extract the information. With a physical extraction all you need to do is copy the files to a USB thumbdrive or print the information and just take it with you.

I had the communications in and out of the servers monitored and there was no evidence that the bad guy was copying the files over the network, still I added deep packet inspection to the communication going to and from the server and out of the company. It is tedious work to analyze the logs of this kind of monitoring, but it was worth trying. After another week and more information leaked I had to agree that the only possible way was a physical extraction.

That was easy. Mount a checkpoint at the exit of the company’s building and check each employee as he or she comes out. If you find CDs, USB disk or any other connectivity device check it. The fist day we couldn’t find anything. There were no leaks for the following month. So I decided to experiment. I removed the checkpoint and waited for10 days. The leak resumed. I then installed across the network software that can monitor the insertion of CD’s or USB drives. It would send me and the security director an email and an SMS (Text message) immediately when this happened.

Four days later we had the exact server the bad guy was using and the time. We installed a hidden camera over the server and we waited. The next day we got him.

The physical security guys waited for him at the exit of the building. When we searched him we found nothing on him. I was mad at this point so I requested to see each item he was carrying. Having hidden stuff in different object myself I wanted to check each piece of gear this guy was carrying.

We found a USB drive hidden inside the coffee mug. He wrapped it in plastic and dumped it there. The mug was of course filled with cold coffee.

Got you!

That’s the kind of things some bad guys do.